Get rid of minimum column requirement

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-10-01 09:56:25 -07:00
parent 5aa4534fbe
commit 072f4752fc
12 changed files with 127 additions and 137 deletions


@ -142,7 +142,9 @@ sub process_accounting_rule( ) {
$jumpchainref = 0; $jumpchainref = 0;
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) =
split_line1 1, 11, 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 }, $accounting_commands; split_line1 11, 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 }, $accounting_commands;
fatal_error 'ACTION must be specified' if $action eq '-';
if ( $action eq 'COMMENT' ) { if ( $action eq 'COMMENT' ) {
process_comment; process_comment;


@ -1338,8 +1338,8 @@ sub supplied( $ ) {
# ensure that it has an appropriate number of columns. # ensure that it has an appropriate number of columns.
# supply '-' in omitted trailing columns. # supply '-' in omitted trailing columns.
# #
sub split_line( $$$$ ) { sub split_line( $$$ ) {
my ( $mincolumns, $maxcolumns, $description, $columnsref ) = @_; my ( $maxcolumns, $description, $columnsref ) = @_;
my ( $columns, $pairs, $rest ) = split( ';', $currentline ); my ( $columns, $pairs, $rest ) = split( ';', $currentline );
@ -1376,8 +1376,8 @@ sub split_line( $$$$ ) {
# #
# Version of 'split_line' used on files with exceptions # Version of 'split_line' used on files with exceptions
# #
sub split_line1( $$$$;$ ) { sub split_line1( $$$;$ ) {
my ( $mincolumns, $maxcolumns, $description, $columnsref, $nopad) = @_; my ( $maxcolumns, $description, $columnsref, $nopad) = @_;
my ( $columns, $pairs, $rest ) = split( ';', $currentline ); my ( $columns, $pairs, $rest ) = split( ';', $currentline );
@ -1405,8 +1405,6 @@ sub split_line1( $$$$;$ ) {
$line-- while $line > 0 && $line[$line-1] eq '-'; $line-- while $line > 0 && $line[$line-1] eq '-';
fatal_error "Invalid $description entry (too few columns)" if $line < $mincolumns;
push @line, '-' while @line < $maxcolumns; push @line, '-' while @line < $maxcolumns;
if ( supplied $pairs ) { if ( supplied $pairs ) {
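Review bot: The `$line-- while $line > 0 && $line[$line-1] eq '-';` statement kept at the top of this hunk existed only to feed the minimum-column test the hunk removes, so unless `$line` is read further down in split_line1 (the function continues past the hunk) it is now dead work and can go together with the counter's declaration. Dropping the central check also moves the burden of rejecting a missing required column onto every caller, and a caller that forgets one now silently receives `-` where a zone, interface or address used to be mandatory. The header comment above split_line still promises an 'appropriate number of columns'; I would reword it to `# ensure that it does not have too many columns; required columns are validated by the caller`. The body of split_line itself is not shown in this hunk, so I could not confirm its own counter was removed.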


@ -82,7 +82,7 @@ sub process_tos() {
while ( read_a_line ) { while ( read_a_line ) {
my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) = split_line 6, 7, 'tos file entry', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } ; my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) = split_line 7, 'tos file entry', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } ;
$first_entry = 0; $first_entry = 0;
@ -159,8 +159,9 @@ sub setup_ecn()
while ( read_a_line ) { while ( read_a_line ) {
my ($interface, $hosts ) = split_line 1, 2, 'ecn file entry', { interface => 0, hosts => 1 }; my ($interface, $hosts ) = split_line 2, 'ecn file entry', { interface => 0, hosts => 1 };
fatal_error 'INTERFACE must be specified' if $interface eq '-';
fatal_error "Unknown interface ($interface)" unless known_interface $interface; fatal_error "Unknown interface ($interface)" unless known_interface $interface;
$interfaces{$interface} = 1; $interfaces{$interface} = 1;
@ -256,7 +257,7 @@ sub setup_blacklist() {
$first_entry = 0; $first_entry = 0;
} }
my ( $networks, $protocol, $ports, $options ) = split_line 1, 4, 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 }; my ( $networks, $protocol, $ports, $options ) = split_line 4, 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 };
if ( $options eq '-' ) { if ( $options eq '-' ) {
$options = 'src'; $options = 'src';
@ -359,10 +360,11 @@ sub process_routestopped() {
while ( read_a_line ) { while ( read_a_line ) {
my ($interface, $hosts, $options , $proto, $ports, $sports ) = my ($interface, $hosts, $options , $proto, $ports, $sports ) =
split_line 1, 6, 'routestopped file', { interface => 1, hosts => 2, options => 3, proto => 4, dport => 5, sport => 6 }; split_line 6, 'routestopped file', { interface => 1, hosts => 2, options => 3, proto => 4, dport => 5, sport => 6 };
my $interfaceref; my $interfaceref;
fatal_error 'INTERFACE must be specified' if $interface eq '-';
fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface; fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
$hosts = ALLIP unless $hosts && $hosts ne '-'; $hosts = ALLIP unless $hosts && $hosts ne '-';
@ -898,7 +900,7 @@ sub setup_mac_lists( $ ) {
while ( read_a_line ) { while ( read_a_line ) {
my ( $original_disposition, $interface, $mac, $addresses ) = split_line1 3, 4, 'maclist file', { origdisposition => 0, interface => 1, mac => 2, addresses => 3 }; my ( $original_disposition, $interface, $mac, $addresses ) = split_line1 4, 'maclist file', { disposition => 0, interface => 1, mac => 2, addresses => 3 };
if ( $original_disposition eq 'COMMENT' ) { if ( $original_disposition eq 'COMMENT' ) {
process_comment; process_comment;
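Review bot: The tos call drops its minimum of 6 columns, which previously forced the TOS column to be present, but unlike the ecn and routestopped hunks nothing here rejects `$tos eq '-'`; unless it is validated further down in process_tos, add `fatal_error 'TOS must be specified' if $tos eq '-';` right after the split. The blacklist NETWORKS column (old minimum 1) and the maclist INTERFACE and MAC columns (old minimum 3) lose their requirement the same way with no replacement check visible in these hunks. Separately, the maclist alternate-specification key is renamed from `origdisposition` to `disposition`, a user-visible syntax change that existing `origdisposition=` entries will presumably no longer match; mapping both names to column 0 for a release would avoid breaking them.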


@ -55,13 +55,15 @@ sub initialize() {
sub process_one_masq( ) sub process_one_masq( )
{ {
my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) =
split_line1 2, 8, 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7 }; split_line1 8, 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7 };
if ( $interfacelist eq 'COMMENT' ) { if ( $interfacelist eq 'COMMENT' ) {
process_comment; process_comment;
return 1; return 1;
} }
fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
my $pre_nat; my $pre_nat;
my $add_snat_aliases = $config{ADD_SNAT_ALIASES}; my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
my $destnets = ''; my $destnets = '';
@ -375,7 +377,7 @@ sub setup_nat() {
while ( read_a_line ) { while ( read_a_line ) {
my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file', { external => 1, interface => 1, internal => 2, allints => 3, localnat => 4 }; my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 5, 'nat file', { external => 1, interface => 1, internal => 2, allints => 3, localnat => 4 };
if ( $external eq 'COMMENT' ) { if ( $external eq 'COMMENT' ) {
process_comment; process_comment;
@ -384,6 +386,9 @@ sub setup_nat() {
$digit = defined $digit ? ":$digit" : ''; $digit = defined $digit ? ":$digit" : '';
fatal_error 'EXTERNAL must be specified' if $external eq '-';
fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';
for my $interface ( split_list $interfacelist , 'interface' ) { for my $interface ( split_list $interfacelist , 'interface' ) {
fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface; fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat; do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
@ -408,7 +413,7 @@ sub setup_netmap() {
while ( read_a_line ) { while ( read_a_line ) {
my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 4, 8, 'netmap file', { type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 4, dport => 5, sport => 6 }; my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 8, 'netmap file', { type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 4, dport => 5, sport => 6 };
$net3 = ALLIP if $net3 eq '-'; $net3 = ALLIP if $net3 eq '-';
@ -498,7 +503,8 @@ sub setup_netmap() {
@match ); @match );
} }
} else { } else {
fatal_error "Invalid type ($type)"; fatal_error 'TYPE must be specified' if $type eq '-';
fatal_error "Invalid TYPE ($type)";
} }
progress_message " Network $net1 on $iface mapped to $net2 ($type)"; progress_message " Network $net1 on $iface mapped to $net2 ($type)";
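Review bot: In setup_nat the new check `fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';` tests the INTERFACE column but names INTERNAL, and `$internal`, which the old minimum of 3 columns did require, is not checked at all; it should read `fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';` followed by `fatal_error 'INTERNAL must be specified' if $internal eq '-';`. While touching that call, the column map on the split_line1 line gives `external => 1, interface => 1`, so an `external=` pair would presumably land in the INTERFACE column; index 0 looks intended. The netmap map has the same kind of collision (`net3 => 4, proto => 4`), and its old minimum of 4 columns is replaced only by the TYPE check in the else branch, leaving NET1, INTERFACE and NET2 unguarded unless they are checked outside the hunk.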


@ -268,14 +268,16 @@ sub start_provider( $$$ ) {
sub process_a_provider() { sub process_a_provider() {
my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) = my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy ) =
split_line 6, 8, 'providers file', { table => 0, number => 1, mark => 2, duplicate => 3, interface => 4, gateway => 5, options => 6, copy => 7 }; split_line 8, 'providers file', { table => 0, number => 1, mark => 2, duplicate => 3, interface => 4, gateway => 5, options => 6, copy => 7 };
fatal_error "Duplicate provider ($table)" if $providers{$table}; fatal_error "Duplicate provider ($table)" if $providers{$table};
fatal_error 'NAME must be specified' if $table eq '-';
fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/; fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;
my $num = numeric_value $number; my $num = numeric_value $number;
fatal_error 'NUMBER must be specified' if $number eq '-';
fatal_error "Invalid Provider number ($number)" unless defined $num; fatal_error "Invalid Provider number ($number)" unless defined $num;
$number = $num; $number = $num;
@ -284,6 +286,8 @@ sub process_a_provider() {
fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number; fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
} }
fatal_error 'INTERFACE must be specified' if $interface eq '-';
( $interface, my $address ) = split /:/, $interface; ( $interface, my $address ) = split /:/, $interface;
my $shared = 0; my $shared = 0;
@ -730,7 +734,7 @@ sub add_a_provider( $$ ) {
} }
sub add_an_rtrule( ) { sub add_an_rtrule( ) {
my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file', { source => 0, dest => 1, provider => 2, priority => 3 }; my ( $source, $dest, $provider, $priority ) = split_line 4, 'route_rules file', { source => 0, dest => 1, provider => 2, priority => 3 };
our $current_if; our $current_if;
@ -805,10 +809,12 @@ sub add_an_rtrule( ) {
} }
sub add_a_route( ) { sub add_a_route( ) {
my ( $provider, $dest, $gateway, $device ) = split_line 2, 4, 'routes file', { provider => 0, dest => 1, gateway => 2, device => 3 }; my ( $provider, $dest, $gateway, $device ) = split_line 4, 'routes file', { provider => 0, dest => 1, gateway => 2, device => 3 };
our $current_if; our $current_if;
fatal_error 'PROVIDER must be specified' if $provider eq '-';
unless ( $providers{$provider} ) { unless ( $providers{$provider} ) {
my $found = 0; my $found = 0;
@ -827,6 +833,7 @@ sub add_a_route( ) {
fatal_error "Unknown provider ($provider)" unless $found; fatal_error "Unknown provider ($provider)" unless $found;
} }
fatal_error 'DEST must be specified' if $dest eq '-';
validate_net ( $dest, 1 ); validate_net ( $dest, 1 );
validate_address ( $gateway, 1 ) if $gateway ne '-'; validate_address ( $gateway, 1 ) if $gateway ne '-';
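Review bot: add_an_rtrule previously required all four columns (`split_line 4, 4`) and this hunk replaces that with nothing: SOURCE, DEST, PROVIDER and PRIORITY may now all be `-` and no check is added in the visible part of the function, so a route rule could be built from an empty selector if the code below the hunk does not reject it. Following the pattern used in add_a_route, add `fatal_error 'PROVIDER must be specified' if $provider eq '-';` and `fatal_error 'PRIORITY must be specified' if $priority eq '-';` directly after the split, and confirm whether SOURCE and DEST may legitimately be omitted. In process_a_provider the NUMBER check is placed after `numeric_value $number` has already run; moving it above that line makes the error the user sees depend on the column rather than on how numeric_value treats `-`.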


@ -123,13 +123,14 @@ sub setup_proxy_arp() {
while ( read_a_line ) { while ( read_a_line ) {
my ( $address, $interface, $external, $haveroute, $persistent ) = my ( $address, $interface, $external, $haveroute, $persistent ) =
split_line 3, 5, { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 }, $file_opt; split_line 5, { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 }, $file_opt;
if ( $first_entry ) { if ( $first_entry ) {
progress_message2 "$doing $fn..."; progress_message2 "$doing $fn...";
$first_entry = 0; $first_entry = 0;
} }
fatal_error 'EXTERNAL must be specified' if $external eq '-';
fatal_error "Unknown interface ($external)" unless known_interface $external; fatal_error "Unknown interface ($external)" unless known_interface $external;
fatal_error "Wildcard interface ($external) not allowed" if $external =~ /\+$/; fatal_error "Wildcard interface ($external) not allowed" if $external =~ /\+$/;
$reset{$external} = 1 unless $set{$external}; $reset{$external} = 1 unless $set{$external};
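Review bot: Only EXTERNAL gets a replacement check here, but the old minimum of 3 columns also required ADDRESS and INTERFACE, so `$address` and `$interface` may now be `-` with nothing visible rejecting them; unless they are validated lower in setup_proxy_arp, add `fatal_error 'ADDRESS must be specified' if $address eq '-';` and `fatal_error 'INTERFACE must be specified' if $interface eq '-';` next to the EXTERNAL check. The call itself also looks mis-ordered against the new `split_line( $$$ )` signature of (maxcolumns, description, columnsref): the column hash is passed in the description position and `$file_opt` in the columnsref position, which would put a hash reference into any 'Invalid $description entry' message and stop `name=value` column lookup from resolving. If `$file_opt` holds the description string, the fix is `split_line 5, $file_opt, { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 };`.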


@ -84,7 +84,7 @@ sub setup_notrack() {
while ( read_a_line ) { while ( read_a_line ) {
my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 }; my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 6, 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
if ( $source eq 'COMMENT' ) { if ( $source eq 'COMMENT' ) {
process_comment; process_comment;
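Review bot: SOURCE was the only required column of the notrack file (old minimum 1), and this hunk drops the minimum without adding the `SOURCE must be specified` guard the sibling hunks introduce, so an entry whose SOURCE is `-` now passes the parser unless it is caught further down in setup_notrack (the loop body continues past the hunk). If SOURCE is still meant to be mandatory, add `fatal_error 'SOURCE must be specified' if $source eq '-';` after the COMMENT branch rather than before it, since `$source` also carries the COMMENT keyword.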


@ -313,12 +313,16 @@ sub process_a_policy() {
our @zonelist; our @zonelist;
my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) = my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) =
split_line 3, 6, 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ; split_line 6, 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
$loglevel = '' if $loglevel eq '-'; $loglevel = '' if $loglevel eq '-';
$synparams = '' if $synparams eq '-'; $synparams = '' if $synparams eq '-';
$connlimit = '' if $connlimit eq '-'; $connlimit = '' if $connlimit eq '-';
fatal_error 'SOURCE must be specified' if $client eq '-';
fatal_error 'DEST must be specified' if $server eq '-';
fatal_error 'POLICY must be specified' if $originalpolicy eq '-';
my $clientwild = ( "\L$client" eq 'all' ); my $clientwild = ( "\L$client" eq 'all' );
fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client ); fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
@ -1370,7 +1374,7 @@ sub process_actions() {
open_file $file; open_file $file;
while ( read_a_line ) { while ( read_a_line ) {
my ( $action ) = split_line 1, 1, 'action file' , { action => 0 }; my ( $action ) = split_line 1, 'action file' , { action => 0 };
if ( $action =~ /:/ ) { if ( $action =~ /:/ ) {
warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf'; warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@ -1434,13 +1438,15 @@ sub process_action( $) {
my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition ); my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition );
if ( $format == 1 ) { if ( $format == 1 ) {
($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = split_line1 1, 9, 'action file', $rule_commands, {}; ($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = split_line1 9, 'action file', $rule_commands, {};
$origdest = $connlimit = $time = $headers = $condition = '-'; $origdest = $connlimit = $time = $headers = $condition = '-';
} else { } else {
($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition ) ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition )
= split_line1 1, 14, 'action file', \%rulecolumns, $action_commands; = split_line1 14, 'action file', \%rulecolumns, $action_commands;
} }
fatal_error 'TARGET must be specified' if $target eq '-';
if ( $target eq 'COMMENT' ) { if ( $target eq 'COMMENT' ) {
process_comment; process_comment;
next; next;
@ -1524,12 +1530,14 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ); my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition );
if ( $format == 1 ) { if ( $format == 1 ) {
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', \%rulecolumns, $rule_commands; ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 8, 'macro file', \%rulecolumns, $rule_commands;
( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = qw/- - - - - -/; ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = qw/- - - - - -/;
} else { } else {
( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = split_line1 1, 14, 'macro file', \%rulecolumns, $rule_commands; ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = split_line1 14, 'macro file', \%rulecolumns, $rule_commands;
} }
fatal_error 'TARGET must be specified' if $mtarget eq '-';
if ( $mtarget eq 'COMMENT' ) { if ( $mtarget eq 'COMMENT' ) {
process_comment unless $nocomment; process_comment unless $nocomment;
next; next;
@ -2338,7 +2346,9 @@ sub build_zone_list( $$$\$\$ ) {
# #
sub process_rule ( ) { sub process_rule ( ) {
my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition ) my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition )
= split_line1 1, 14, 'rules file', \%rulecolumns, $rule_commands; = split_line1 14, 'rules file', \%rulecolumns, $rule_commands;
fatal_error 'ACTION must be specified' if $target eq '-';
process_comment, return 1 if $target eq 'COMMENT'; process_comment, return 1 if $target eq 'COMMENT';
process_section( $source ), return 1 if $target eq 'SECTION'; process_section( $source ), return 1 if $target eq 'SECTION';
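Review bot: process_actions (`my ( $action ) = split_line 1, 'action file' ...`) loses its old minimum of one column but gets no replacement check, so a `-` line in the actions file would now be treated as an action name, whereas process_action, process_macro and process_rule in this same file all add a `TARGET must be specified` guard; add `fatal_error 'ACTION must be specified' if $action eq '-';` right after that split. The ordering in process_a_policy is correct: the SOURCE/DEST/POLICY checks sit after the `-`-to-empty normalisation of the optional columns, so they cannot be confused by it.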


@ -192,10 +192,12 @@ sub initialize( $ ) {
sub process_tc_rule( ) { sub process_tc_rule( ) {
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) = my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) =
split_line1 2, 13, 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12 }; split_line1 13, 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12 };
our @tccmd; our @tccmd;
fatal_error 'MARK must be specified' if $originalmark eq '-';
if ( $originalmark eq 'COMMENT' ) { if ( $originalmark eq 'COMMENT' ) {
process_comment; process_comment;
return; return;
@ -511,8 +513,9 @@ sub process_flow($) {
} }
sub process_simple_device() { sub process_simple_device() {
my ( $device , $type , $in_bandwidth , $out_part ) = split_line 1, 4, 'tcinterfaces', { device => 0, type => 1, in_bandwidth => 2, out_bandwidth => 3 }; my ( $device , $type , $in_bandwidth , $out_part ) = split_line 4, 'tcinterfaces', { interface => 0, type => 1, in_bandwidth => 2, out_bandwidth => 3 };
fatal_error 'INTERFACE must be specified' if $device eq '-';
fatal_error "Duplicate INTERFACE ($device)" if $tcdevices{$device}; fatal_error "Duplicate INTERFACE ($device)" if $tcdevices{$device};
fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/; fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
@ -645,8 +648,9 @@ sub process_simple_device() {
} }
sub validate_tc_device( ) { sub validate_tc_device( ) {
my ( $device, $inband, $outband , $options , $redirected ) = split_line 3, 5, 'tcdevices', { device => 0, in_bandwidth => 1, out_bandwidth => 2, options => 3, redirect => 4 }; my ( $device, $inband, $outband , $options , $redirected ) = split_line 5, 'tcdevices', { interface => 0, in_bandwidth => 1, out_bandwidth => 2, options => 3, redirect => 4 };
fatal_error 'INTERFACE must be specified' if $device eq '-';
fatal_error "Invalid tcdevices entry" if $outband eq '-'; fatal_error "Invalid tcdevices entry" if $outband eq '-';
my $devnumber; my $devnumber;
@ -809,7 +813,7 @@ sub dev_by_number( $ ) {
sub validate_tc_class( ) { sub validate_tc_class( ) {
my ( $devclass, $mark, $rate, $ceil, $prio, $options ) = my ( $devclass, $mark, $rate, $ceil, $prio, $options ) =
split_line 4, 6, 'tcclasses file', { device => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 }; split_line 6, 'tcclasses file', { interface => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 };
my $classnumber = 0; my $classnumber = 0;
my $devref; my $devref;
my $device = $devclass; my $device = $devclass;
@ -817,6 +821,9 @@ sub validate_tc_class( ) {
my $parentclass = 1; my $parentclass = 1;
my $parentref; my $parentref;
fatal_error 'INTERFACE must be specified' if $devclass eq '-';
fatal_error 'CEIL must be specified' if $ceil eq '-';
if ( $devclass =~ /:/ ) { if ( $devclass =~ /:/ ) {
( $device, my ($number, $subnumber, $rest ) ) = split /:/, $device, 4; ( $device, my ($number, $subnumber, $rest ) ) = split /:/, $device, 4;
fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest; fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest;
@ -1030,7 +1037,9 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x
# #
sub process_tc_filter() { sub process_tc_filter() {
my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 2, 8, 'tcfilters file', { device => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 }; my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 8, 'tcfilters file', { interface => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 };
fatal_error 'CLASS must be specified' if $devclass eq '-';
my ($device, $class, $rest ) = split /:/, $devclass, 3; my ($device, $class, $rest ) = split /:/, $devclass, 3;
@ -1330,7 +1339,9 @@ sub process_tcfilters() {
# Process a tcpri record # Process a tcpri record
# #
sub process_tc_priority() { sub process_tc_priority() {
my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 1, 6, 'tcpri', { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 }; my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 6, 'tcpri', { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 };
fatal_error 'BAND must be specified' if $band eq '-';
if ( $band eq 'COMMENT' ) { if ( $band eq 'COMMENT' ) {
process_comment; process_comment;
@ -1669,7 +1680,9 @@ sub setup_traffic_shaping() {
# #
sub process_secmark_rule() { sub process_secmark_rule() {
my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) = my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) =
split_line1( 2, 9 , 'Secmarks file' , { secmark => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8 } ); split_line1( 9 , 'Secmarks file' , { secmark => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8 } );
fatal_error 'SECMARK must be specified' if $secmark eq '-';
if ( $secmark eq 'COMMENT' ) { if ( $secmark eq 'COMMENT' ) {
process_comment; process_comment;
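Review bot: The column maps for tcinterfaces, tcdevices, tcclasses and tcfilters rename the alternate-specification key `device` to `interface`, which is a user-visible syntax change: an existing entry written as `... ; device=eth0` will presumably no longer resolve, and I cannot see here whether an unknown key is fatal or silently ignored (silent ignore would be the worse outcome for a shaping rule). If the rename is intended, accept both for a release by mapping both names to column 0, e.g. `{ interface => 0, device => 0, type => 1, in_bandwidth => 2, out_bandwidth => 3 }`, and record the change in the release notes. The secmarks CHAIN column (old minimum 2) and the tcrules and tcfilters SOURCE columns (old minimum 2) also lose their requirement with only the first column guarded; confirm which of them may legitimately be `-`.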


@ -284,7 +284,10 @@ sub setup_tunnels() {
while ( read_a_line ) { while ( read_a_line ) {
my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file', { kind => 0, zone => 1, gateway => 2, gateway_zone => 3 }; my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 4, 'tunnels file', { kind => 0, zone => 1, gateway => 2, gateway_zone => 3 };
fatal_error 'TYPE must be specified' if $kind eq '-';
fatal_error 'ZONE must be specified' if $zone eq '-';
if ( $kind eq 'COMMENT' ) { if ( $kind eq 'COMMENT' ) {
process_comment; process_comment;
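Review bot: The new `fatal_error 'ZONE must be specified' if $zone eq '-';` runs before the `if ( $kind eq 'COMMENT' )` branch, so a bare `COMMENT` line, whose remaining columns are padded to `-`, now dies with a ZONE error instead of reaching process_comment; if a bare COMMENT line is still the supported way to end a comment block, this is a regression. The TYPE check is safe in that position because `$kind` itself holds the COMMENT keyword, but the ZONE check should move below the COMMENT branch (which ends outside the hunk), where the masq and nat hunks of this commit place their column checks.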


@ -403,7 +403,9 @@ sub process_zone( \$ ) {
my @parents; my @parents;
my ($zone, $type, $options, $in_options, $out_options ) = my ($zone, $type, $options, $in_options, $out_options ) =
split_line 1, 5, 'zones file', { zone => 0, type => 1, options => 2, in_options => 3, out_options => 4 }; split_line 5, 'zones file', { zone => 0, type => 1, options => 2, in_options => 3, out_options => 4 };
fatal_error 'ZONE must be specified' if $zone eq '-';
if ( $zone =~ /(\w+):([\w,]+)/ ) { if ( $zone =~ /(\w+):([\w,]+)/ ) {
$zone = $1; $zone = $1;
@ -872,7 +874,7 @@ sub process_interface( $$ ) {
my ( $nextinum, $export ) = @_; my ( $nextinum, $export ) = @_;
my $netsref = ''; my $netsref = '';
my $filterref = []; my $filterref = [];
my ($zone, $originalinterface, $bcasts, $options ) = split_line 2, 4, 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 }; my ($zone, $originalinterface, $bcasts, $options ) = split_line 4, 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
my $zoneref; my $zoneref;
my $bridge = ''; my $bridge = '';
@ -885,6 +887,8 @@ sub process_interface( $$ ) {
fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} == FIREWALL; fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} == FIREWALL;
} }
fatal_error 'INTERFACE must be specified' if $originalinterface eq '-';
my ($interface, $port, $extra) = split /:/ , $originalinterface, 3; my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;
fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra; fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
@ -1728,7 +1732,10 @@ sub compile_updown() {
# #
sub process_host( ) { sub process_host( ) {
my $ipsec = 0; my $ipsec = 0;
my ($zone, $hosts, $options ) = split_line 2, 3, 'hosts file', { zone => 0, hosts => 1, options => 2 }; my ($zone, $hosts, $options ) = split_line 3, 'hosts file', { zone => 0, hosts => 1, options => 2 };
fatal_error 'ZONE must be specified' if $zone eq '-';
fatal_error 'HOSTS must be specified' if $hosts eq '-';
my $zoneref = $zones{$zone}; my $zoneref = $zones{$zone};
my $type = $zoneref->{type}; my $type = $zoneref->{type};
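Review bot: In process_host the added ZONE check only rejects `-`; an unknown zone name still reaches `my $type = $zoneref->{type};` with `$zoneref` undefined and no guard between the two lines, so `$zoneref` silently autovivifies and `$type` is undefined by the time any 'Unknown zone' check further down (the function continues past the hunk) can fire. Folding the lookup and the check together, `my $zoneref = $zones{$zone} or fatal_error "Unknown ZONE ($zone)";`, keeps the new required-column check and the existence check adjacent and makes the failure explicit. The HOSTS check is placed correctly, before any use of `$hosts`.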


@ -504,10 +504,8 @@ ACCEPT net:\
as <replaceable>column-name</replaceable>/<replaceable>value</replaceable> as <replaceable>column-name</replaceable>/<replaceable>value</replaceable>
pairs.</para> pairs.</para>
<para>Each file has both required and optional columns. The columns up to <para>At any point, you can enter a semicolon (';') followed by one or
the last required column must be specified in the normal way. After that, more specifications of the form:</para>
at any point, you can enter a semicolon (';') followed by one or more
specifications of the form:</para>
<simplelist> <simplelist>
<member><replaceable>column-name</replaceable>=<replaceable>value</replaceable></member> <member><replaceable>column-name</replaceable>=<replaceable>value</replaceable></member>
@ -524,225 +522,169 @@ ACCEPT net:\
</note> </note>
<informaltable> <informaltable>
<tgroup cols="3"> <tgroup cols="2">
<tbody> <tbody>
<row> <row>
<entry><emphasis role="bold">File</emphasis></entry> <entry><emphasis role="bold">File</emphasis></entry>
<entry><emphasis role="bold">Right-most required <entry><emphasis role="bold">Column names</emphasis></entry>
Column</emphasis></entry>
<entry><emphasis role="bold">Remaining column
names</emphasis></entry>
</row> </row>
<row> <row>
<entry>accounting</entry> <entry>accounting</entry>
<entry>ACTION</entry> <entry>action,chain, source, dest, proto, dport, sport, user,
mark, ipsec, headers</entry>
<entry>chain, source, dest, proto, dport, sport, user, mark,
ipsec, headers</entry>
</row> </row>
<row> <row>
<entry>blacklist</entry> <entry>blacklist</entry>
<entry>ADDRESS/SUBNET</entry> <entry>networks,proto,port,options</entry>
<entry>proto,port,options</entry>
</row> </row>
<row> <row>
<entry>ecn</entry> <entry>ecn</entry>
<entry>INTERFACE</entry> <entry>interface,hosts</entry>
<entry>hosts</entry>
</row> </row>
<row> <row>
<entry>hosts</entry> <entry>hosts</entry>
<entry>ZONE</entry> <entry>zone,hosts,options</entry>
<entry>hosts,options</entry>
</row> </row>
<row> <row>
<entry>interfaces</entry> <entry>interfaces</entry>
<entry>INTERFACE</entry> <entry>zone,interface,broadcast,options</entry>
<entry>broadcast,options</entry>
</row> </row>
<row> <row>
<entry>maclist</entry> <entry>maclist</entry>
<entry>MAC</entry> <entry>disposition,interface,mac,addresses</entry>
<entry>addresses</entry>
</row> </row>
<row> <row>
<entry>masq</entry> <entry>masq</entry>
<entry>SOURCE</entry> <entry>interface,source,address,proto,port,ipsec,mark,user</entry>
<entry>address,proto,port,ipsec,mark,user</entry>
</row> </row>
<row> <row>
<entry>nat</entry> <entry>nat</entry>
<entry>EXTERNAL</entry> <entry>external,interface,internal,allints,localnat</entry>
<entry>interface,internal,allints,localnat</entry>
</row> </row>
<row> <row>
<entry>netmap</entry> <entry>netmap</entry>
<entry>NET2</entry> <entry>type,net1,interface,net2,net3,proto,dport,sport</entry>
<entry>net3,proto,dport,sport</entry>
</row> </row>
<row> <row>
<entry>notrack</entry> <entry>notrack</entry>
<entry>SOURCE</entry> <entry>source,dest,proto,dport,sport,user</entry>
<entry>dest,proto,dport,sport,user</entry>
</row> </row>
<row> <row>
<entry>policy</entry> <entry>policy</entry>
<entry>POLICY</entry> <entry>source,dest,policy,loglevel,limit,connlimit</entry>
<entry>loglevel,limit,connlimit</entry>
</row> </row>
<row> <row>
<entry>providers</entry> <entry>providers</entry>
<entry>GATEWAY</entry> <entry>table,number,mark,duplicate,interface,gateway,options,copy</entry>
<entry>options,copy</entry>
</row> </row>
<row> <row>
<entry>proxyarp</entry> <entry>proxyarp</entry>
<entry>EXTERNAL</entry> <entry>address,interface,external,haveroute,persistent</entry>
<entry>haveroute,persistent</entry>
</row> </row>
<row> <row>
<entry>route_rules</entry> <entry>route_rules</entry>
<entry>PRIORITY</entry> <entry>source,dest,provider,priority</entry>
<entry>N/A</entry>
</row> </row>
<row> <row>
<entry>routestopped</entry> <entry>routestopped</entry>
<entry>INTERFACE</entry> <entry>interface,hosts,options,proto,dport,sport</entry>
<entry>hosts,options,proto,dport,sport</entry>
</row> </row>
<row> <row>
<entry>rules</entry> <entry>rules</entry>
<entry>ACTION</entry> <entry>action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch</entry>
<entry>source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch</entry>
</row> </row>
<row> <row>
<entry>secmarks</entry> <entry>secmarks</entry>
<entry>CHAIN</entry> <entry>secmark,source,dest,proto,dport,sport,user,mark</entry>
<entry>source,dest,proto,dport,sport,user,mark</entry>
</row> </row>
<row> <row>
<entry>tcclasses</entry> <entry>tcclasses</entry>
<entry>CEIL</entry> <entry>interface,mark,rate,ceil,prio,options</entry>
<entry>prio,options</entry>
</row> </row>
<row> <row>
<entry>tcdevices</entry> <entry>tcdevices</entry>
<entry>OUT_BANDWIDTH</entry> <entry>interface,in_bandwidth,out_bandwidth,options,redirect</entry>
<entry>options,redirect</entry>
</row> </row>
<row> <row>
<entry>tcfilters</entry> <entry>tcfilters</entry>
<entry>SOURCE</entry> <entry>interface,source,dest,proto,dport,sport,tos,length</entry>
<entry>dest,proto,dport,sport,tos,length</entry>
</row> </row>
<row> <row>
<entry>tcinterfaces</entry> <entry>tcinterfaces</entry>
<entry>DEVICE</entry> <entry>interface,type,in_bandwidth,out_bandwidth</entry>
<entry>type,in_bandwidth,out_bandwidth</entry>
</row> </row>
<row> <row>
<entry>tcpri</entry> <entry>tcpri</entry>
<entry>BAND</entry> <entry>band,proto,port,address,interface,helper</entry>
<entry>proto,port,address,interface,helper</entry>
</row> </row>
<row> <row>
<entry>tcrules</entry> <entry>tcrules</entry>
<entry>SOURCE</entry> <entry>mark,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers</entry>
<entry>dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers</entry>
</row> </row>
<row> <row>
<entry>tos</entry> <entry>tos</entry>
<entry>TOS</entry> <entry>source,dest,proto,dport,sport,tos,mark</entry>
<entry>mark</entry>
</row> </row>
<row> <row>
<entry>tunnels</entry> <entry>tunnels</entry>
<entry>ZONE</entry> <entry>type,zone,gateway,gateway_zone</entry>
<entry>gateway,gateway_zone</entry>
</row> </row>
<row> <row>
<entry>zones</entry> <entry>zones</entry>
<entry>ZONE</entry> <entry>zone,type,options,in_options,out_options</entry>
<entry>type,options,in_options,out_options</entry>
</row> </row>
</tbody> </tbody>
</tgroup> </tgroup>
@ -968,9 +910,9 @@ DNAT net loc:10.0.0.1 tcp 80 ; mark="88"</
<caution> <caution>
<para>Prior to Shorewall 4.4.17, if you are using <ulink <para>Prior to Shorewall 4.4.17, if you are using <ulink
url="Shorewall-Lite.html">Shorewall Lite</ulink> , it is not url="Shorewall-Lite.html">Shorewall Lite</ulink> , it is not advisable
advisable to use INCLUDE in the <filename>params</filename> file in an to use INCLUDE in the <filename>params</filename> file in an export
export directory if you set EXPORTPARAMS=Yes in <ulink directory if you set EXPORTPARAMS=Yes in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5). If you do url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5). If you do
that, you must ensure that the included file is also present on the that, you must ensure that the included file is also present on the
firewall system's <filename firewall system's <filename
@ -1235,11 +1177,10 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
</listitem> </listitem>
<listitem> <listitem>
<para>If you are using <ulink <para>If you are using <ulink url="Shorewall-Lite.html">Shorewall
url="Shorewall-Lite.html">Shorewall Lite</ulink> and if the Lite</ulink> and if the <filename>params</filename> script needs to
<filename>params</filename> script needs to set shell variables based set shell variables based on the configuration of the firewall system,
on the configuration of the firewall system, you can use this you can use this trick:</para>
trick:</para>
<programlisting>EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</programlisting> <programlisting>EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</programlisting>